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ps| , Abstract 

^ ■ Recently, an image encryption scheme based on chaotic standard and logistic maps was proposed 
Q . by Patidar et al. It was later reported by Rhouma et al. that an equivalent secret key can be 
reconstructed with only one known/chosen-plaintext and the corresponding ciphertext. Patidar 
■ et al. soon modified the original scheme and claimed that the modified scheme is secure against 
Rhouma et al.'s attack. In this paper, we point out that the modified scheme is still insecure 
I against the same known/chosen-plaintext attack. In addition, some other security defects existing 
' in both the original and the modified schemes are also reported. 
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1. Introduction 
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ff^ ■ With the rapid development of information technology, multimedia data are transmitted over all 

, kinds of wired/wireless networks more and more frequently. Consequently, security of multimedia 
data becomes a serious concern in many applications. However, traditional text encryption schemes 
cannot be used in a naive way to protect multimedia data efficiently in some applications, mainly 
due to some special requirements of the whole multimedia system. This challenge stirs the design 
of special multimedia encryption schemes to become a hot research topic in the past two decades. 
^ ' Because of the subtle similarity between chaos and cryptography, a great number of multimedia 
encryption schemes based on chaos have been presented S 0] • Unfortunately, many of them 
have been found to have security problems from the cryptographical point of view [g, Q, @, 0]- 
Soi ne g eneral rules about evaluating security of chaos-based encryption schemes can be found in 



Since 2003, Pareek et al. have proposed a number of different encr yptio n schemes based on one 
or more chaotic maps [l2, 1^, 14 j_ 15 [.Recent cryptanalytic results 16 j_ 17, 18] have shown that all 



the three schemes proposed in [12l . 14l ] have security defects. In [15[, a new image encryption 
scheme based on the logistic and standard maps was proposed, where the two maps are used to 
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generate a pseudo-random number sequence (PRNS) controlling two kinds of encryption operations. 
In [l^ . Rhouma et al. reported that the scheme is not secure in the sense that an equivalent key 
can be obtained from only one known/chosen plain-image and the corresponding cipher-i mag e. To 



resist Rhouma et al.'s attack, a modified version of the original scheme was proposed in 20(]. The 
present paper reports the following findings: 1) the modified image encryption scheme can still be 
broken by the same known/chosen-plaintext attack under the same condition; 2) there are some 
other security defects existing in both the modified and the original schemes. 

The rest of this paper is organized as follows. Section [2] briefly introduces the image encryption 
schemes under study and the known/chosen-plaintext attack reported in [l^. Our cryptanalytic 
results are presented in Sec. [3] in detail. The last section concludes the paper. 

2. The image encryption schemes under study and Rhouma et al.'s attack 

For both schemes, we make the following assumptions to ease our descriptioE0. The plaintext is 
a RGB true-color image of size H xW (height x width), which can be denoted hj an H xW matrix 
of 3-tuple pixel values I = o<t<H-i = {{R{i,j),G{i,j),B{i,j))} o<i<H-i . Similarly, the ci- 

0<j<W''-l 0<j<W'-l 

phertext corresponding to I is denoted by I' = {I' {i, j)} o<i<H-i = {{R' {i, j), G' {i, j), B' {i, j))} o<i<H-i 

-jL^M/-l 0<j<W~l 



o< 



To further facilitate our discussion, we adopt the terms in [20(] : the original image encryption scheme 
is called PPS09 and the modified one mPPS09. 



2.1. The original image encryption scheme PPS09 113 ] 

• Secret key: three floating-point numbers xq, yo, K, and one integer A^, where xq, yo G (0, 2tt), 
K > 18, 100 < iV < 1100. 

• Initialization: prepare data for encryption/decryption by performing the following steps. 

— Generate four XORing keys as follows: Xkey{l) = [256x0/ (27r)J , Xkey{2) = [256yo/(2vr)J, 
Xkey{3) = [i^mod 256j, Xkey{4) = (A^ mod 256). Then, generate a pseudo- image 
Ixkey = {{Rxkeyii,j),Gxkey{i,j),Bxkey{i,j))} o<r<H-i by filling ai\ H X W matrix with 

0<j<W~l 

the four XORing keys repeatedly: Rxkeyihj) = Xkey{{?>k vnod A) + 1), Gxkeyihj) = 
Xkey{{{3k + 1) mod 4) -hi), Bxkey{i,j) = Xkey{{{3k + 2) mod 4) -hi), where k = iW + j. 

— Iterate the standard map Eq. ([1]) from the initial conditions (xo,yo) for times to 
obtain a new chaotic state (xQ,yo)- Then, further iterate it for HW more times to get 
HW chaotic states {ixi,yi)}^[}i . 

{X = {x + K sm{y)) mod (27r), 
y = {y + x + K sin(y)) mod (27r), 

— Iterate the logistic map Eq. ([2]) from the initial condition zq = {{x'q + y'^) mod 1) for N 
times to get a new initial condition z'q. Then, further iterate it for HW times to get 
HW chaotic states {zi}fjf. 

z = 4z{l-z). (2) 



^To make the presentation more concise and more consistent, some notations in the original papers [ISl. 1201) are 
also modified. 
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— Generate a pseudo-image Icks = {{RcKsihj), GcKs{i,j),BcKsii,j))} o<^<H-l by filling 

0<j<W-l 

its R, G and B channels with the three chaotic key streams (CKS) {xk}^^, {yk}k=i ^^^d 
{zk}^J: RcKsihj) = L256xfc/(27r)J, GcKs{hj) = L256yfe/(2^)J , BcKsihj) = [256^^], 
where k = iW + j + 1. 

Encryption procedure: a simple concatenation of the following four encryption operations. 

— Confusion I: Mask the plain-image I by Ixkey to obtain I*, i.e., I* = I © Ixkey 

— Horizontal Diffusion (HD): Scan I* = j)} o<i<H-i rowwise from the upper-left 

0<j<lV-l 

pixel to the bottom-right one, and mask each pixel value (except for the first one) by its 
predecessor in the scan. Denoting the output of this step by I* = j')} o<i<H-i , the 

0<j<W-l 

HD procedure is described as follows: 1) /*(0, 0) = /*(0, 0); 2) for A; = 1, ... , HW - 1, 

r(i,j) = /*(i,j)er(i',/), (3) 

where i = [k/W\, j = {k mod W), i' = [{k - l)/W\, j' = {{k - 1) mod W). 

— Vertical Diffusion (VD): Scan I* columnwise from the bottom-right pixel to the upper- 
left one, and mask each pixel value (except for the first one) by its predecessor in the 
scan. Denoting the output of this step by I** = {R**{i,j),G**{i,j),B**{i,j)}o<i<H-i , 

0<j<W-l 

the VD procedure can be described as follows: 1) r*{H -l,W-l) = r{H -l,W- 1); 
2) for k = HW - 2, . . . , 0, 



r*(i,j) = r(i,i)e/**(i',j'), (4) 

where i = {k mod H), j = [k/H], i' = {{k + 1) mod H), f = [{k + 1)/H\, and 



I**ii',f) = {G**{i',j')(BB**{i',j'),R**{t',j')(BB**{i',j'),R**{i',j')(BG**{i',j')). 

— Confusion H: Mask the pixel values in I** with Icks to get the ciphertext I', i.e., 
I' = r* © Icks- 

Decryption procedure: the simple reversion of the above encryption procedure. 



2.2. Rhouma et al.'s attack IIh ] 

Denoting the horizontal and vertical diffusion processes by HD and VD, respectively, the en- 
cryption procedure of PPS09 can be represented as follows: 



1' = YDiRD{I(Blxkey))(BlcKS- (5) 



In 



19l |. Rhouma et al. showed that the HD and VD processes are commutative with XOR 
operations: 

HD(X©F) = HD(X)©HD(r), 
VD(X©y) = VD(X)©VD(r). 

Therefore, Eq. ([5]) is equivalent to the following one: 

I' = VD(HD(I)) © VD(HD(I;,fc,,)) © Icks- (6) 

Assuming Ikey = VD(HD(IxA:ey)) © IcifSi we can observe the following two important facts: 
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1. neither HD nor VD depends on the key; 

2. I^jei/ does not depend on the plaintext I or the ciphertext I'. 

The above facts immediately lead to a conclusion: I^gy can be used as an equivalent key to encrypt 
any plaintext of the same size H xW and decrypt any ciphertext of size H xW . A known/chosen- 
plaintext attack can be easily mounted to derive Ikey from a known/chosen plaintext I and its 
corresponding ciphertext l': 

Ikey = VD(HD(I)) e I'. (7) 



2.3. The modified image encryption scheme mPPS09 i2(\ l 

To enhance the security of PPS09 against Rhouma et al.'s attack, in [20(] Patidar et al. proposed 
a modified edition of PPS09 by making both HD and VD dependent on the secret key. 

The modified key-dependent HD and VD processes are denoted by mHD and mVD in [io! ]. 
Both mHD and mVD are based on 16 diffusion keys derived from the secret key (xq, yo) -^)- 

• for i = 1, . . . , 5, Dkey{i) = Yl'j=o ' W^^^ mod 256, where xq = ai.a2 • • • ais . . . and 
Oi are decimal digits representing xq; 

• for i = 6, . . . , 10, Dkey{i) = X]j=o ^3 (i-6)+j " 10^"-' mod 256, where yo = 61.62 ... 615 .. . and 
bi are decimal digits representing yo; 

• for z = 11, . . . , 15, Dkey{i) = l^j=o ^3.(4-11)+^ ■ 10^"-' mod 256, where K = . . . c\.C2 . . . C15 . . . 
and Cj are decimal digits representing K\ 

• Dkey{16) = {N mod 256). 

The mHD process is modified from HD by replacing Eq. ([3]) with the following equation: 

r{i,j) = e r{t',f) e Dkefik - 1), (8) 

where 

Dkey*{k) = {Dkey{{k mod 16) + 1), Dkey{{k mod 16) + 1), Dkey{{k mod 16) + 1)). 
The mVD process is modified from VD by replacing Eq. ^ with the following equation: 



r*{i,j) = r{i,j) © I**{i',j') Dkey**{k'), (9) 
where k' = HW — 2 — k and 

Dkey**{k') = {Dkey{3k' mod 16) + 1), Dkey{{{3k' + 1) mod 16) + 1), Dkey{{{3k' + 2) mod 16) + 1)). 



3. Cryptanalysis 

In this section, we first show that the key-dependent horizontal and vertical diffusion steps 
mHD and mVD do not increase the security of mPPS09 against Rhouma et al.'s attack. Then we 
point out some common security weaknesses in both PPS09 and mPPS09. 
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3.1. Insecurity of mPPS09 against Rhouma et al.'s attack 

Although both mHD and mVD are dependent on the secret key, we noticed that they can be 
represented in an equivalent form which renders the key-dependence useless. Assuming X is the 
input matrix and is a zero matrix of the same size as X, we have the following two lemmas. 

Lemma 1. mHD(X) = HD(X) mHD(0). 

Proof. This lemma can be easily proved with mathematical induction on k. 

For k = 0, i.e., i = j = 0, we have mHD(X(0,0)) = X{0,0) and HD(X(0, 0)) emHD(e(0, 0)) = 
-^(0, 0) (0, 0, 0) = X{0, 0). This lemma holds. Then, assume the lemma is true for k > 0, let us 
prove the case of A; + 1. 

For k + 1, i.e., i = [{k + 1)/W\, j = {{k + 1) mod W), i' = [k/W] and / = {k mod 
W), mRD{X{i,j)) = X{i,j) mHD(X(i', j')) © Dkey*{k). According to the assumption on 
k, we have mHB{X{i' = HD(X(i',/)) © mHD(e(i',/)). Thus, mRB{X{i,j)) = X{i,j) © 
RD{X{i',j'))®mRB{e{i',j'))®Dkey*{k). Noting that RB{X{i,j)) = X{i,j)®}lB{X{i',j')), we 
get mHD(X(i, j)) = B.B{X{i,j)) mRB{&{i'J')) Dkey*{k). Further note that mHD(e(i, j)) = 
e(i, j) mHD(e(i',/)) © Dkey*{k) = mHD(e(i',j')) Dkey*{k). This immediately leads to 
mHD(X(i, j)) = HD(X(i, j)) mHD(e(i, j))- □ 

Lemma 2. mVD(X) = VD(X) mVD(0). 

Proof. This lemma can be proved in a similar way to Lemma [H but the mathematical induction 
should be made in descending order on k (starting from k = HW — 1 and ending at /c = 0). □ 

The above two lemmas lead to the following proposition. 

Proposition 1. The encryption procedure of mPPS09 is equivalent to the following equation: 

l' = VD(HD(I))0/fcey, (10) 
where hey = \B{nB{lxkey)) © VD(mHD(e)) © mVD(G) © Icks- 

Proof. From the properties of HD & VD and Lemmas 1 & 2, we can make the following deduction: 

I' = mVD(mHD(I©Ixfcey))elcK5, 

= mVD(HD(I Ixkey) © mHD(e)) Icks, 

= VD(HD(I Ixkey) © mHD(e)) mVD(e) Icks, 

= VD(HD(I Ixkey)) © VD(mHD(G)) © mVD(e) © Icks, 

= VD(HD(I)) © VD(HD(I;,,,^)) © VD(mHD(e)) © mVD(e) © Icks, 

= VD(HD(I))©ifce,. 

This proves the proposition. □ 

Since mHD(0) and mVD(0) are both independent of the plaintext and the ciphertext, they are 
uniquely determined by the key {xo,yQ,K,N). This means that Ikey is also uniquely determined 
by the key {xo,yo, K, N). Therefore, I^ey can be used as an equivalent key of mPPS09 exactly in 
the same way as Ikey in PPS09. In fact, even the determination process of the equivalent key is 
also the same: 

ikey = VD(HD(I)) © I'. 
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This means that the same known/chosen-plaintext attack can be apphed to mPPS09 without any 
change to the program. In other words, the security of mPPS09 against Rhouma et al.'s attack 
remains the same as that of the original scheme PPS09. 

We have performed some experiments to verify the correctness of the conclusion. With the 
secret key {xo,yo,K,N) = (3.98235562892545, 1.34536356538912, 108.54365761256745, 110), the 
equivalent key Ikey was constructed from a known plain-image "Lenna" and the corresponding 
cipher-image, which are shown in Figs. [1^) and b), respectively. Then, I^g^ was used to recover a 
cipher-image shown in Fig. [1}:, and the plain-image "Peppers" (Fig. [T]l) was successfully recovered. 




c) 




Figure 1: An experimental result of the proposed known-plaintext attack: a) the known plain-image "Lenna"; b) the 
corresponding cipher-image; c) a cipher-image encrypted with the same key; d) the recovered plain-image "Peppers". 



3.2. Other security weaknesses of PPS09 and mPPS09 
3.2.1. Insufficient randomness of the PRNS {BcKsihj)} 



As illustrated in [2l[, the randomness of pseudo-random bit sequences derived from chaotic 



orbits of the logistic map is very weak. To further verify the randomness of the PRNS {BcKs{i^ j)} 
generated via the logistic map with control parameter 4.0, we tested 100 PRNSs of length 512 x 
512 = 262144 (the number of bytes used for encryption of a 512 x 512 plain color image) by using 
the NIST statistical test suite [i^]. The 100 sequences were generated with randomly selected 
secret keys, and transformed to 1-D bit sequences by concatenating the bits of all the elements. 
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For each test, the default significance level 0.01 was used. The results are shown in Table [TJ from 
which one can see that the PRNS {BcKsih j)} is not random enough. 



Table 1: The performed tests with respect to a significance level 0.01 and the number of sequences passing each test 
in 100 randomly generated sequences. 



Name of Test 


Number of Passed Sequences 


Frequency 


95 


Block Frequency (m = 100) 





Cumulative Sums-Forward 


93 


Runs 





Rank 





Non-overlapping Template (m = 9, B = 010000111) 


10 


Serial (m = 16) 





Approximate Entropy (m = 10) 





FFT 






3.2.2. Insufficient sensitivity with respect to change of plaintext 

In 15, 2^, Patidar et al. recognized that the sensitivity of cipher-image with respect to change 
of plain-image is very important. However, both PPS09 and mPPS09 are actually very far from 
the desired property. As well known in cryptography, this property is termed as avalanche effect. 
Ideally, it requires the change of any single bit of plain-image will make every bit of cipher-image 
change with a probability of one half. 

For both PPS09 and mPPS09, the following equation holds for two plain-images I and J = 
lelA: 

I'eJ' = (VD(HD(I))) e (VD(HD(J))), 
= VD(HD(I©J)), 
= VD(HD(Ia)). 

The above equation implies the following two facts: 

• any change in a single bitplane will not change any other bitplanes in the cipher-image; 

• a change in plain-image I a will cause a change pattern determined by VD(IID(Ia)), which 
is far from a random pattern. 

To show this defect clearly, we made an experiment by changing only one bit of the red channel 
of a plain-image. It is found that only some bits on the same bitplane in the corresponding 
cipher-image were changed. The locations of the changed bits can be seen from the differential 
cipher- image VD(HD(Ia)) and its three color channels as shown in Fig. [5J Apparently, the change 
pattern is far from random and balanced. 

4. Conclusion 

In this paper, the security of the image encryption scheme proposed in [20;] (a modified version 
of the one proposed in [l^) is re-evaluated. It is found that the scheme is still insecure against 
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a known/chosen-plaintext attack which can break the original scheme in 19|. In addition, two 
more security weaknesses of both the original and the modified image encryption schemes are 
reported: insufficient randomness of a PRNS involved, and insufficient sensitivity with respect to 
change of plain-image. Due to such a low level of security, we recommend not to use the image 
encryption schemes under study unless their security is further enhanced with more complicated 
countermeasures. 
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